Here's a list of my suggestions, none of which are particularly linux centric:
* Run something with patches. If you think patches might stop (like say for
fedora) before you want to reinstall pick an OS with longer support (like
say centos, debian stable, or ubuntu LTS (all 5 years afaik).
* Disable password logins via ssh, use a cert if you want to login remotely.
* Use a good passphrase to protect your cert
* Only keep your private key/cert on machines you trust.
* Set a secure user and root password (not strongly word based, and no zero
instead of O doesn't make a dictionary word secure). Do not type that
password anywhere else. Do not share that password with any other
machine/service that you don't trust
* if you check email from less secure computers use a different password
than your user/root password.
* nmap your laptop remotely. Ideally nothing but ssh would be open, or a
service that you are familiar with and you have a reason to run.
* spend the absolute minimal time as root, don't download random binaries from
random places and run them as root.
* If you build things from source in /opt/src and install them in /opt/pkg
make both of those directories owned by a system (non-root) user, then
run the ./configure;make;make install as that user.
* Use firefox 3, read all dialogs, never type any username/password without
checking that SSL is used, the URLs look right, and firefox is happy with
the certificate. Do NOT assume that your bank, your email account, or
related probably forgot to renew a cert, click ok, and login anyways.
* If firefox asks if you want to execute something from a website, say no.
* If something triggers a please type the root/user password dialog and you
do not know exactly what and why, believe in both the source and the reason
say no.
* No matter what the explanation, do not ever send your username/password
to anyone for any reason.
* Assume every machine you do not personally admin is hacked.
* If someone you don't know says that this really cool video (storm footage,
earthquakes, twin towers, embarassing political videos, tsunamis,
aliens, or whatever) just requires you to install a binary... don't. If
the standard tools like mplayer, vlc, and friends can't play it, it's likely
not worth playing.
* Do not accept a binary from anyone you wouldn't give your social security
number and a credit card to.
* Anything you aren't positive about run as a different user, logout, login,
tinker with it.
* patch when patches come out, most environments will put up a notification on
the default desktop.
* Unless your browser says you are using SSL or you are using ssh, assume
every byte that comes to/from your computer over the network is being
recorded, redirected, and maliciously changed.
* backup the stuff you care about, I'd suggest at least /home and /etc. Keep
at least 2 copies, ideally in at least 2 places. Even rsync is fine for
this, or one of a zillion backup programs.
* Keep your laptop as physically secure as possible
If you are more paranoid:
* Install from CD
* make sure you are behind a firewall/ip nat/masq (not internet visible)
* patch
The above should be plenty to keep most linux users from getting hacked.
If you want to be more paranoid and learn more about a system:
* run ps, get familiar with all processes running
* read /var/log/*, get familiar with that.
* watch your network traffic lights on your dsl/cable/modem, figure out why
and what is using your network.
* run strace on existing processes
* run lsof on existing processes
* run tcpdump and watch your network connection
* run snort
* run df, or related utilities to analyze storage. Figure out how much you
use and where it is.
For the very paranoid (I don't do this):
* encrypt your disk
* boot from trusted media, build a tripwire database, write it to write once
media, then periodicially verify that things that shouldn't change don't.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech